acme: fill Subject CN field in the tls-sni challenge certs
This is purely for debugging purposes, where an external system
may have a lookup mechanism based on Common Name.
Change-Id: I50b64ccf82e67fe8a0074a6f9b57e8cf102f1bb3
Reviewed-on: https://go-review.googlesource.com/71130
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
diff --git a/acme/acme.go b/acme/acme.go
index e8388b0..60dbb11 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -995,6 +995,7 @@
// tlsChallengeCert creates a temporary certificate for TLS-SNI challenges
// with the given SANs and auto-generated public/private key pair.
+// The Subject Common Name is set to the first SAN to aid debugging.
// To create a cert with a custom key pair, specify WithKey option.
func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) {
var (
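Review bot: The new doc line states that the CN is set to the first SAN but not why, nor that it is left empty when `san` is empty, which is the only contract a caller or a future maintainer can rely on. The commit message already says this is purely for debugging, so that belongs in the comment rather than only in the CL description; suggest `// The Subject Common Name is set to the first SAN purely to aid debugging (e.g. external systems that index certificates by CN); it is left empty when san is empty.` The body of tlsChallengeCert continues past this hunk.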
@@ -1033,6 +1034,9 @@
}
}
tmpl.DNSNames = san
+ if len(san) > 0 {
+ tmpl.Subject.CommonName = san[0]
+ }
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
if err != nil {
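Review bot: The added assignment copies san[0] into Subject.CommonName without any length check, but RFC 5280 bounds CommonName at 64 characters (ub-common-name), and the long dotted `acme.invalid` host names that TLS-SNI challenges use as SANs (not shown in this hunk, so worth confirming against the challenge code) appear to exceed that; x509.CreateCertificate will not reject the oversize CN, but a strict parser on the path may, which is a surprising failure mode for a field the commit describes as debugging-only. If the external CN lookup needs the full value, the overflow should be a conscious, documented decision; otherwise bound it, e.g. `if len(san) > 0 && len(san[0]) <= 64 { tmpl.Subject.CommonName = san[0] }`, noting that an omitted CN will not be found by a CN-keyed lookup. Note also that because this runs after the option loop, it overrides any Subject a caller-supplied template option may have set, mirroring what the existing `tmpl.DNSNames = san` line already does. tlsChallengeCert starts and ends outside this hunk.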
diff --git a/acme/acme_test.go b/acme/acme_test.go
index 14832de..b44af59 100644
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@@ -1186,6 +1186,9 @@
if cert.DNSNames[0] != name {
t.Errorf("cert.DNSNames[0] != name: %q vs %q", cert.DNSNames[0], name)
}
+ if cn := cert.Subject.CommonName; cn != san {
+ t.Errorf("cert.Subject.CommonName = %q; want %q", cn, san)
+ }
}
func TestTLSSNI02ChallengeCert(t *testing.T) {
@@ -1219,6 +1222,9 @@
if i >= len(cert.DNSNames) || cert.DNSNames[i] != name {
t.Errorf("%v doesn't have %q", cert.DNSNames, name)
}
+ if cn := cert.Subject.CommonName; cn != sanA {
+ t.Errorf("CommonName = %q; want %q", cn, sanA)
+ }
}
func TestTLSChallengeCertOpt(t *testing.T) {